Amazon Web Services (AWS) offers a feature-rich environment for hosting and managing cloud-based applications on a flexible, highly scalable infrastructure. However, security remains a challenge. Amazon Security Hub and Amazon GuardDuty provide some visibility into log data and security events in AWS environments, but they lack advanced analytics and other features needed to detect and respond to threats.
Rapid7 InsightIDR is a fast-to-deploy cloud-based SIEM designed to quickly detect sophisticated attacks. It aggregates data from AWS sources like CloudTrail and GuardDuty, together with information from on-premises networks, endpoints, and other cloud platforms. It employs User Behavior Analytics (UBA), industry-leading threat intelligence, and automated workflows to help security teams uncover and investigate threats in AWS environments and across the organization’s entire IT footprint.
InsightIDR is integrated with critical AWS services, making it easy to collect detailed log data from:
- AWS CloudTrail, which monitors and logs account activity and administrative actions on services such as the AWS Management Console, AWS SDKs, and command line tools
- AWS GuardDuty, which provides insight into potentially malicious activity inside AWS - including things like misuse of credentials and privilege escalation
Beyond native integrations, the Insight Agent can be installed on AWS EC2 instances, allowing InsightIDR to pull back real-time EDR telemetry to detect malicious activity and processes, collect forensic data on-demand, and contain threats by killing processes or isolating the instance from the network.
InsightIDR also allows for the installation of honeypots in any AWS environment through a native AMI. An alert in InsightIDR is triggered whenever a potential attacker tries to access these honeypots. In addition, InsightIDR can collect any data through it's AWS SQS integration. This includes items such as VPC flow logs and Route 53 DNS logs.
InsightIDR combines log data from these services with information from hundreds of other sources across the enterprise, normalizes and enriches the data, and makes it available for searching, reporting and analysis by security teams.
InsightIDR’s User Behavior Analytics measures baseline activities by users and generates alerts when it detects anomalous actions such as atypical authentication requests and unusual single sign-on (SSO) activities. It enables security teams to uncover threat actors using stolen user credentials. Rapid7’s SIEM solution also generates alerts based on behaviors that indicate the suspicious use of computing resources and compromised administrative credentials. These include:
- Activities in new AWS regions
- Use of new AWS services
- Provisioning of new types of virtual machines (for example, a service optimized for cryptocurrency mining)
InsightIDR provides pre-built detections, and organizations can also build custom alerts based on AWS CloudTrail activities. For example, they can create custom alerts that flag actions to access, modify, and remove objects in S3 buckets.
GuardDuty alerts can be sent to InsightIDR, so security teams can follow up immediately, using the full power of InsightIDR to correlate data from multiple platforms, retrace user behaviors, pivot to additional log sets, and directly query AWS resources with the Rapid7 Insight Agent.
InsightIDR supports cloud reporting and compliance requirements for monitoring, audit logging, and data retention. It can show auditors where logs are stored, confirm the appropriate log history and retention, and demonstrate that the right log sources are represented.
InsightIDR’s intuitive dashboard can provide executives and board members with high-level information about the enterprise’s threat landscape, such as trending attacks, applications and areas of the network most subject to attack, and threats that have been extinguished.
As a native cloud-based tool, InsightIDR can scale up rapidly to support increased activity and new applications on the AWS platform.
Because InsightIDR is designed to integrate quickly and seamlessly with new data sources, enterprises are able to collect and analyze data from new AWS services when they are introduced.